feat: sbom-generation (#3)

Co-authored-by: Richard Attermeyer <richard.attermeyer@opitz-consulting.com>
Reviewed-on: https://git.192.168.1.151.nip.io:8543/fjadmin/ci-demo-2/pulls/3

.idea/jpa-buddy.xml

@@ -1,6 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project version="4">
   <component name="JpaBuddyIdeaProjectConfig">
+    <option name="defaultUnitInitialized" value="true" />
     <option name="renamerInitialized" value="true" />
   </component>
 </project>

.idea/misc.xml

@@ -1,6 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project version="4">
   <component name="ExternalStorageConfigurationManager" enabled="true" />
+  <component name="FrameworkDetectionExcludesConfiguration">
+    <file type="web" url="file://$PROJECT_DIR$" />
+  </component>
   <component name="ProjectRootManager" version="2" languageLevel="JDK_21" project-jdk-name="19" project-jdk-type="JavaSDK" />
   <component name="ProjectType">
     <option name="id" value="jpab" />

.sdkmanrc

@@ -0,0 +1,3 @@
+# Enable auto-env through the sdkman_auto_env config
+# Add key=value pairs of SDKs to use below
+java=17.0.8-tem

.woodpecker/.backend.yml

@@ -1,4 +1,6 @@
 ---
+variables:
+  - &java_image "gradle:8.4.0-jdk17"
 when:
   path: "app/**"
 clone:
@@ -9,7 +11,7 @@ clone:
 steps:
   "lint:style":
     group: lint
-    image: gradle:8.4.0-jdk17
+    image: *java_image
     commands:
       - gradle spotlessCheck --no-daemon
   "lint:hadolint":
@@ -19,8 +21,12 @@ steps:
       - hadolint --version
   "build:java":
     group: build
-    image: gradle:8.4.0-jdk17
+    image: *java_image
     commands:
       - ./gradlew build
+  "analyze:sbom":
+    image: *java_image
+    commands:
+      - ./gradlew cyclonedxBom
 depends_on:
   - "lint_general"

.woodpecker/.frontend.yml

@@ -14,26 +14,39 @@ steps:
     commands:
       - pnpm install
     directory: frontend
+
   "lint:style":
     image: *frontend_image
     commands:
       - pnpm run prettier
     directory: frontend
+
   "lint:analyze":
     image: *frontend_image
     commands:
       - pnpm run lint
     directory: frontend
+
   "build:frontend":
     image: *frontend_image
     commands:
       - pnpm run build
     directory: frontend
+
   "build:tsc":
     image: *frontend_image
     commands:
       - pnpm add typescript
       - pnpm run typecheck
     directory: frontend
+
+  "analyze:sbom":
+    image: *frontend_image
+    commands:
+      - rm -rf node_modules
+      - npm install
+      - npx @cyclonedx/cyclonedx-npm --output-file bom.json
+    directory: frontend
+
 depends_on:
   - "lint_general"

app/build.gradle.kts

@@ -2,11 +2,34 @@
  * This file was generated by the Gradle 'init' task.
  */
 
-plugins { id("com.opitzconsulting.demo.ci.java-application-conventions") }
+plugins {
+  id("com.opitzconsulting.demo.ci.java-application-conventions")
+  id("org.springframework.boot") version "3.1.5"
+  id("io.spring.dependency-management") version "1.1.3"
+}
 
 dependencies {
   implementation("org.apache.commons:commons-text")
   implementation(project(":utilities"))
+  implementation("org.springframework.boot:spring-boot-starter-actuator")
+  implementation("org.springframework.boot:spring-boot-starter-data-jpa")
+  implementation("org.springframework.boot:spring-boot-starter-security")
+  implementation("org.springframework.boot:spring-boot-starter-web")
+  implementation("org.springframework.modulith:spring-modulith-starter-core")
+  implementation("org.springframework.modulith:spring-modulith-starter-jpa")
+  runtimeOnly("org.postgresql:postgresql")
+  runtimeOnly("org.springframework.modulith:spring-modulith-actuator")
+  runtimeOnly("org.springframework.modulith:spring-modulith-observability")
+  testImplementation("org.springframework.boot:spring-boot-starter-test")
+  testImplementation("org.springframework.boot:spring-boot-testcontainers")
+  testImplementation("org.springframework.modulith:spring-modulith-starter-test")
+  testImplementation("org.springframework.security:spring-security-test")
+  testImplementation("org.testcontainers:junit-jupiter")
+  testImplementation("org.testcontainers:postgresql")
+}
+
+dependencyManagement {
+  imports { mavenBom("org.springframework.modulith:spring-modulith-bom:1.0.2") }
 }
 
 application {

build.gradle.kts

@@ -2,6 +2,8 @@ plugins { id("com.diffplug.spotless") version "6.22.0" }
 
 repositories { mavenCentral() }
 
+allprojects { version = "0.1" }
+
 spotless {
   encoding("UTF-8")
   java {

buildSrc/build.gradle.kts

@@ -12,3 +12,8 @@ repositories {
   // Use the plugin portal to apply community plugins in convention plugins.
   gradlePluginPortal()
 }
+
+dependencies {
+  // Use the Kotlin DSL plugin API to apply plugins from the Gradle Plugin Portal.
+  implementation("org.cyclonedx.bom:org.cyclonedx.bom.gradle.plugin:1.7.2")
+}

buildSrc/src/main/kotlin/com.opitzconsulting.demo.ci.java-common-conventions.gradle.kts

@@ -5,6 +5,7 @@
 plugins {
   // Apply the java Plugin to add support for Java.
   java
+  id("org.cyclonedx.bom")
 }
 
 repositories {
@@ -31,3 +32,15 @@ tasks.named<Test>("test") {
   // Use JUnit Platform for unit tests.
   useJUnitPlatform()
 }
+
+tasks.cyclonedxBom {
+  setIncludeConfigs(listOf("runtimeClasspath"))
+  setSkipConfigs(listOf("compileClasspath", "testCompileClasspath"))
+  setProjectType("application")
+  setSchemaVersion("1.5")
+  setDestination(project.file("build/reports"))
+  setOutputName("bom")
+  setOutputFormat("json")
+  setIncludeBomSerialNumber(false)
+  setComponentVersion("2.0.0")
+}

frontend/.prettierignore

@@ -1,3 +1,4 @@
 # Ignore artifacts:
 build
 coverage
+pnpm-lock.yaml

frontend/README.md

@@ -7,7 +7,7 @@
 From your terminal:
 
 ```sh
-npm run dev
+pnpm run dev
 ```
 
 This starts your app in development mode, rebuilding assets on file changes.
@@ -17,13 +17,13 @@ This starts your app in development mode, rebuilding assets on file changes.
 First, build your app for production:
 
 ```sh
-npm run build
+pnpm run build
 ```
 
 Then run the app in production mode:
 
 ```sh
-npm start
+pnpm start
 ```
 
 Now you'll need to pick a host to deploy it to.

gradle.properties

@@ -0,0 +1 @@
+org.gradle.caching=true

package.json

@@ -0,0 +1,5 @@
+{
+	"devDependencies": {
+		"@commitlint/config-conventional": "^18.1.0"
+	}
+}

pnpm-lock.yaml

@@ -0,0 +1,49 @@
+lockfileVersion: '6.0'
+
+settings:
+  autoInstallPeers: true
+  excludeLinksFromLockfile: false
+
+devDependencies:
+  '@commitlint/config-conventional':
+    specifier: ^18.1.0
+    version: 18.1.0
+
+packages:
+
+  /@commitlint/config-conventional@18.1.0:
+    resolution: {integrity: sha512-8vvvtV3GOLEMHeKc8PjRL1lfP1Y4B6BG0WroFd9PJeRiOc3nFX1J0wlJenLURzl9Qus6YXVGWf+a/ZlbCKT3AA==}
+    engines: {node: '>=v18'}
+    dependencies:
+      conventional-changelog-conventionalcommits: 7.0.2
+    dev: true
+
+  /array-ify@1.0.0:
+    resolution: {integrity: sha512-c5AMf34bKdvPhQ7tBGhqkgKNUzMr4WUs+WDtC2ZUGOUncbxKMTvqxYctiseW3+L4bA8ec+GcZ6/A/FW4m8ukng==}
+    dev: true
+
+  /compare-func@2.0.0:
+    resolution: {integrity: sha512-zHig5N+tPWARooBnb0Zx1MFcdfpyJrfTJ3Y5L+IFvUm8rM74hHz66z0gw0x4tijh5CorKkKUCnW82R2vmpeCRA==}
+    dependencies:
+      array-ify: 1.0.0
+      dot-prop: 5.3.0
+    dev: true
+
+  /conventional-changelog-conventionalcommits@7.0.2:
+    resolution: {integrity: sha512-NKXYmMR/Hr1DevQegFB4MwfM5Vv0m4UIxKZTTYuD98lpTknaZlSRrDOG4X7wIXpGkfsYxZTghUN+Qq+T0YQI7w==}
+    engines: {node: '>=16'}
+    dependencies:
+      compare-func: 2.0.0
+    dev: true
+
+  /dot-prop@5.3.0:
+    resolution: {integrity: sha512-QM8q3zDe58hqUqjraQOmzZ1LIH9SWQJTlEKCH4kJ2oQvLZk7RbQXvtDM2XEq3fwkV9CCvvH4LA0AV+ogFsBM2Q==}
+    engines: {node: '>=8'}
+    dependencies:
+      is-obj: 2.0.0
+    dev: true
+
+  /is-obj@2.0.0:
+    resolution: {integrity: sha512-drqDG3cbczxxEJRoOXcOjtdp1J/lyp1mNn0xaznRs8+muBhgQcrnbspox5X5fOw0HnMnbfDzvnEMEtqDEJEo8w==}
+    engines: {node: '>=8'}
+    dev: true